Linux Kernel RDMA/rxe Memory Region Page Size Handling Vulnerability

A vulnerability in the Linux kernel's RDMA/rxe implementation affects memory regions (MRs) with page sizes different from the system default. The issue arises because the function rxe_set_page() increments by the MR's page size, while the page_list maintains individual page pointers, each representing a standard page size. This discrepancy leads to incorrect input/output virtual address conversions, particularly when the MR page size is smaller or larger than the system page size. The vulnerability can cause mismanagement of memory access, potentially leading to application crashes or undefined behavior.

Impact

Exploitation of this vulnerability can cause a kernel panic, disrupting system stability and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by creating a memory region with a page size that is either smaller or larger than the system's default page size. This can be done by using the RDMA (Remote Direct Memory Access) features of the Linux kernel, specifically through the RXE (Reliable eXchange Engine) implementation. Once the memory region is created, the incorrect IOVA (Input/Output Virtual Address) to VA (Virtual Address) conversion can be observed, leading to the expected virtual address not being correctly calculated. This miscalculation can be verified by accessing the memory region, which will result in a kernel panic.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.